Bump Dependencies (#897)

* UpdateBase

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

* Update

Author: Jefajers

scripts/Remove-AzOpsTestsDeployment.ps1

@@ -69,6 +69,7 @@
                 foreach ($subscription in $cleanupSub) {
                     $null = Set-AzContext -SubscriptionId $subscription.Id
                     $null = Get-AzResourceLock | Remove-AzResourceLock -Force
+                    Start-Sleep -Seconds 15
                     $script:resourceGroups = Get-AzResourceGroup | Where-Object {$_.ResourceGroupName -like "*-azopsrg"}
                     $script:roleAssignmentsCleanBase = Get-AzRoleAssignment | Where-Object {$_.Scope -ne "/"}
                     $script:roleAssignments = foreach ($roleAssignment in $script:roleAssignmentsCleanBase) {

src/AzOps.psd1

@@ -3,7 +3,7 @@
 #
 # Generated by: Customer Architecture Team (CAT)
 #
-# Generated on: 06/26/2024
+# Generated on: 9/3/2024
 #
 
 @{
@@ -51,11 +51,11 @@ PowerShellVersion = '7.2'
 # ProcessorArchitecture = ''
 
 # Modules that must be imported into the global environment prior to importing this module
-RequiredModules = @(@{ModuleName = 'PSFramework'; RequiredVersion = '1.10.318'; }, 
-               @{ModuleName = 'Az.Accounts'; RequiredVersion = '2.19.0'; }, 
-               @{ModuleName = 'Az.Billing'; RequiredVersion = '2.0.3'; }, 
-               @{ModuleName = 'Az.ResourceGraph'; RequiredVersion = '0.13.1'; }, 
-               @{ModuleName = 'Az.Resources'; RequiredVersion = '6.16.2'; })
+RequiredModules = @(@{ModuleName = 'PSFramework'; RequiredVersion = '1.11.343'; }, 
+               @{ModuleName = 'Az.Accounts'; RequiredVersion = '3.0.4'; }, 
+               @{ModuleName = 'Az.Billing'; RequiredVersion = '2.0.4'; }, 
+               @{ModuleName = 'Az.ResourceGraph'; RequiredVersion = '1.0.0'; }, 
+               @{ModuleName = 'Az.Resources'; RequiredVersion = '7.4.0'; })
 
 # Assemblies that must be loaded prior to importing this module
 # RequiredAssemblies = @()

src/data/template/Microsoft.Authorization/policyExemptions.jq

@@ -1 +1 @@
-del(.ResourceId, .ResourceGroupName, .SubscriptionId, .SystemData, .Properties.CreatedOn, .Properties.UpdatedOn, .Properties.CreatedBy, .Properties.UpdatedBy)
+del(.ResourceId, .resourceGroup, .subscriptionId, .properties.metadata.createdOn, .properties.metadata.updatedOn, .properties.metadata.createdBy, .properties.metadata.updatedBy, .properties.metadata.assignedBy)

src/data/template/Microsoft.Authorization/policyExemptions.template.jq

@@ -54,6 +54,10 @@
         Write-AzOpsMessage -LogLevel Verbose -LogString 'Get-AzOpsResourceDefinition.Processing.Detail' -LogStringValues 'Policy Assignments', $ScopeObject.Scope
         $policyAssignments = Get-AzOpsPolicyAssignment -ScopeObject $ScopeObject -Subscription $Subscription -SubscriptionsToIncludeResourceGroups $SubscriptionsToIncludeResourceGroups -ResourceGroup $ResourceGroup
         $policyAssignments | ConvertTo-AzOpsState -StatePath $StatePath
+        # Process policy exemptions
+        Write-AzOpsMessage -LogLevel Verbose -LogString 'Get-AzOpsResourceDefinition.Processing.Detail' -LogStringValues 'Policy Exemptions', $ScopeObject.Scope
+        $policyExemptions = Get-AzOpsPolicyExemption -ScopeObject $ScopeObject -Subscription $Subscription -SubscriptionsToIncludeResourceGroups $SubscriptionsToIncludeResourceGroups -ResourceGroup $ResourceGroup
+        $policyExemptions | ConvertTo-AzOpsState -StatePath $StatePath
     }
 
 }

src/internal/functions/Get-AzOpsPolicy.ps1

@@ -18,7 +18,7 @@
             Discover all custom policy assignments deployed at Management Group scope
     #>
 
-    [OutputType([Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.Policy.PsPolicyAssignment])]
+    [OutputType([Microsoft.Azure.PowerShell.Cmdlets.Policy.Models.IPolicyAssignment])]
     [CmdletBinding()]
     param (
         [Parameter(Mandatory = $true, ValueFromPipeline = $true)]

src/internal/functions/Get-AzOpsPolicyAssignment.ps1

@@ -14,7 +14,7 @@
             Discover all custom policy definitions deployed at Management Group scope
     #>
 
-    [OutputType([Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.Policy.PsPolicyDefinition])]
+    [OutputType([Microsoft.Azure.PowerShell.Cmdlets.Policy.Models.IPolicyDefinition])]
     [CmdletBinding()]
     param (
         [Parameter(Mandatory = $true, ValueFromPipeline = $true)]

src/internal/functions/Get-AzOpsPolicyDefinition.ps1

@@ -7,46 +7,61 @@
             Discover all custom policy exemptions at the provided scope (Management Groups, subscriptions or resource groups)
         .PARAMETER ScopeObject
             The scope object representing the azure entity to retrieve excemptions for.
+        .PARAMETER Subscription
+            Complete Subscription list
+        .PARAMETER SubscriptionsToIncludeResourceGroups
+            Scoped Subscription list
+        .PARAMETER ResourceGroup
+            ResourceGroup switch indicating desired scope condition
         .EXAMPLE
             > Get-AzOpsPolicyExemption -ScopeObject (New-AzOpsScope -Scope /providers/Microsoft.Management/managementGroups/contoso -StatePath $StatePath)
             Discover all custom policy exemptions deployed at Management Group scope
     #>
 
-    [OutputType([Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.Policy.PsPolicyExemption])]
+    [OutputType([Microsoft.Azure.PowerShell.Cmdlets.Policy.Models.IPolicyExemption])]
     [CmdletBinding()]
     param (
         [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
         [Object]
-        $ScopeObject
+        $ScopeObject,
+        [Parameter(Mandatory = $false)]
+        [object]
+        $Subscription,
+        [Parameter(Mandatory = $false)]
+        [object]
+        $SubscriptionsToIncludeResourceGroups,
+        [Parameter(Mandatory = $false)]
+        [bool]
+        $ResourceGroup
     )
 
     process {
         if ($ScopeObject.Type -notin 'resourceGroups', 'subscriptions', 'managementGroups') {
             return
         }
-
-        switch ($ScopeObject.Type) {
-            managementGroups {
-                Write-AzOpsMessage -LogLevel Debug -LogString 'Get-AzOpsPolicyExemption.ManagementGroup' -LogStringValues $ScopeObject.ManagementGroupDisplayName, $ScopeObject.ManagementGroup -Target $ScopeObject
+        if ($ScopeObject.Type -eq 'managementGroups') {
+            Write-AzOpsMessage -LogLevel Debug -LogString 'Get-AzOpsPolicyExemption.ManagementGroup' -LogStringValues $ScopeObject.ManagementGroupDisplayName, $ScopeObject.ManagementGroup -Target $ScopeObject
+            if ((-not $SubscriptionsToIncludeResourceGroups) -or (-not $ResourceGroups)) {
+                $query = "policyresources | where type == 'microsoft.authorization/policyexemptions' and resourceGroup == '' and subscriptionId == '' | order by ['id'] asc"
+                Search-AzOpsAzGraph -ManagementGroupName $ScopeObject.Name -Query $query -ErrorAction Stop
             }
-            subscriptions {
+        }
+        if ($Subscription) {
+            if ($SubscriptionsToIncludeResourceGroups -and $ResourceGroup) {
                 Write-AzOpsMessage -LogLevel Debug -LogString 'Get-AzOpsPolicyExemption.Subscription' -LogStringValues $ScopeObject.SubscriptionDisplayName, $ScopeObject.Subscription -Target $ScopeObject
+                $query = "policyresources | where type == 'microsoft.authorization/policyexemptions' and resourceGroup != '' | order by ['id'] asc"
+                Search-AzOpsAzGraph -Subscription $SubscriptionsToIncludeResourceGroups -Query $query -ErrorAction Stop
             }
-            resourcegroups {
+            elseif ($ResourceGroup) {
                 Write-AzOpsMessage -LogLevel Debug -LogString 'Get-AzOpsPolicyExemption.ResourceGroup' -LogStringValues $ScopeObject.ResourceGroup -Target $ScopeObject
+                $query = "policyresources | where type == 'microsoft.authorization/policyexemptions' and resourceGroup != '' | order by ['id'] asc"
+                Search-AzOpsAzGraph -Subscription $Subscription -Query $query -ErrorAction Stop
             }
-        }
-        try {
-            $parameters = @{
-                Scope = $ScopeObject.Scope
+            else {
+                Write-AzOpsMessage -LogLevel Debug -LogString 'Get-AzOpsPolicyExemption.Subscription' -LogStringValues $ScopeObject.SubscriptionDisplayName, $ScopeObject.Subscription -Target $ScopeObject
+                $query = "policyresources | where type == 'microsoft.authorization/policyexemptions' and resourceGroup == '' | order by ['id'] asc"
+                Search-AzOpsAzGraph -Subscription $Subscription -Query $query -ErrorAction Stop
             }
-            # Gather policyExemption with retry and backoff support from Invoke-AzOpsScriptBlock
-            Invoke-AzOpsScriptBlock -ArgumentList $parameters -ScriptBlock {
-                Get-AzPolicyExemption @parameters -WarningAction SilentlyContinue -ErrorAction Stop | Where-Object ResourceId -match $parameters.Scope
-            } -RetryCount 3 -RetryWait 5 -RetryType Exponential -ErrorAction Stop
-        }
-        catch {
-            Write-AzOpsMessage -LogLevel Warning -LogString 'Get-AzOpsPolicyExemption.Failed' -LogStringValues $ScopeObject.Scope
         }
     }
 

src/internal/functions/Get-AzOpsPolicyExemption.ps1

@@ -14,7 +14,7 @@
             Discover all custom policyset definitions deployed at Management Group scope
     #>
 
-    [OutputType([Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.Policy.PsPolicySetDefinition])]
+    [OutputType([Microsoft.Azure.PowerShell.Cmdlets.Policy.Models.IPolicySetDefinition])]
     [CmdletBinding()]
     param (
         [Parameter(Mandatory = $true, ValueFromPipeline = $true)]

src/internal/functions/Get-AzOpsPolicySetDefinition.ps1

@@ -152,19 +152,13 @@
                             $script:AzOpsPartialRoot = $runspaceData.runspace_AzOpsPartialRoot
                             $script:AzOpsResourceProvider = $runspaceData.runspace_AzOpsResourceProvider
                         }
-                        # Process Privileged Identity Management resources, Policies and Roles at managementGroup scope
-                        if ((-not $using:SkipPim) -or (-not $using:SkipPolicy) -or (-not $using:SkipRole)) {
+                        # Process Privileged Identity Management resources and Roles at managementGroup scope
+                        if ((-not $using:SkipPim) -or (-not $using:SkipRole)) {
                             & $azOps {
                                 $ScopeObject = New-AzOpsScope -Scope $managementgroup.id -StatePath $runspaceData.Statepath -ErrorAction Stop
                                 if (-not $using:SkipPim) {
                                     Get-AzOpsPim -ScopeObject $ScopeObject -StatePath $runspaceData.Statepath
                                 }
-                                if (-not $using:SkipPolicy) {
-                                    $policyExemptions = Get-AzOpsPolicyExemption -ScopeObject $ScopeObject
-                                    if ($policyExemptions) {
-                                        $policyExemptions | ConvertTo-AzOpsState -StatePath $runspaceData.Statepath
-                                    }
-                                }
                                 if (-not $using:SkipRole) {
                                     Get-AzOpsRole -ScopeObject $ScopeObject -StatePath $runspaceData.Statepath
                                 }
@@ -196,19 +190,13 @@
                     $script:AzOpsPartialRoot = $runspaceData.runspace_AzOpsPartialRoot
                     $script:AzOpsResourceProvider = $runspaceData.runspace_AzOpsResourceProvider
                 }
-                # Process Privileged Identity Management resources, Policies, Locks and Roles at subscription scope
-                if ((-not $using:SkipPim) -or (-not $using:SkipPolicy) -or (-not $using:SkipLock) -or (-not $using:SkipRole)) {
+                # Process Privileged Identity Management resources, Locks and Roles at subscription scope
+                if ((-not $using:SkipPim) -or (-not $using:SkipLock) -or (-not $using:SkipRole)) {
                     & $azOps {
                         $scopeObject = New-AzOpsScope -Scope ($subscription.Type + '/' + $subscription.Id) -StatePath $runspaceData.Statepath -ErrorAction Stop
                         if (-not $using:SkipPim) {
                             Get-AzOpsPim -ScopeObject $scopeObject -StatePath $runspaceData.Statepath
                         }
-                        if (-not $using:SkipPolicy) {
-                            $policyExemptions = Get-AzOpsPolicyExemption -ScopeObject $scopeObject
-                            if ($policyExemptions) {
-                                $policyExemptions | ConvertTo-AzOpsState -StatePath $runspaceData.Statepath
-                            }
-                        }
                         if (-not $using:SkipLock) {
                             Get-AzOpsResourceLock -ScopeObject $scopeObject -StatePath $runspaceData.Statepath
                         }
@@ -264,8 +252,8 @@
                     & $azOps {
                         ConvertTo-AzOpsState -Resource $resourceGroup -StatePath $runspaceData.Statepath
                     }
-                    # Process Privileged Identity Management resources, Policies, Locks and Roles at resource group scope
-                    if ((-not $using:SkipPim) -or (-not $using:SkipPolicy) -or (-not $using:SkipRole) -or (-not $using:SkipLock)) {
+                    # Process Privileged Identity Management resources, Locks and Roles at resource group scope
+                    if ((-not $using:SkipPim) -or (-not $using:SkipRole) -or (-not $using:SkipLock)) {
                         & $azOps {
                             $rgScopeObject = New-AzOpsScope -Scope $resourceGroup.id -StatePath $runspaceData.Statepath -ErrorAction Stop
                             if (-not $using:SkipLock) {
@@ -274,12 +262,6 @@
                             if (-not $using:SkipPim) {
                                 Get-AzOpsPim -ScopeObject $rgScopeObject -StatePath $runspaceData.Statepath
                             }
-                            if (-not $using:SkipPolicy) {
-                                $policyExemptions = Get-AzOpsPolicyExemption -ScopeObject $rgScopeObject
-                                if ($policyExemptions) {
-                                    $policyExemptions | ConvertTo-AzOpsState -StatePath $runspaceData.Statepath
-                                }
-                            }
                             if (-not $using:SkipRole) {
                                 Get-AzOpsRole -ScopeObject $rgScopeObject -StatePath $runspaceData.Statepath
                             }